01-27-2024 09:48 AM
Hi dears
I have one ASR1001-X on our edge network.
Based on our policy, I must NAT all customer networks when they come into my network.
Some networks do static NAT and others do dynamic.
Everything is OK until I want to delete one NAT.
When I delete one NAT (static or dynamic), all sessions get packet loss.
I replaced the ASR1001-X with a 4331 and there wasn't any problem on the 4331.
Do you have any idea or recommendations?
Thanks
01-27-2024 09:56 AM
Hello @m.ebrahimi.isc ,
can you share the following:
01-27-2024 10:09 AM
When you delete NAT you need to
first shut the interface used as ip nat inside,
then delete the dynamic NAT,
otherwise you face this issue.
BTW the router should warn you when you delete some NAT.
MHM
01-27-2024 10:13 AM
And also if you have dynamic NAT translations in the NAT table that are related to the NAT you want to delete, the router will not allow the operation.
01-27-2024 10:45 AM
When I delete one NAT (static or dynamic) all sessions get packet loss.
The above statement may have some effect depending on what you are deleting, as others mentioned; we need to see the config you removed that is causing the issue.
You also need to give us information: what IOS code is running on the ASR 1K, and also what code is running on the 4331.
Do you have any idea or recommendations?
We can only play in the dark here with ifs and buts, and that is not going to resolve the issue. So we suggest you provide the config and the logs you saw when you had the issue.
On the other hand, you can also raise a TAC case for help if this is urgent.
01-27-2024 08:37 PM
Here is my network topology
Here is my router configuration
******************************************************************
Interface Configuration
******************************************************************
interface GigabitEthernet0/0/0
 description To-Customer
 ip address 192.168.38.2 255.255.255.0
 ip nat inside
end
interface GigabitEthernet0/0/1
 description To-MyNetwork
 ip address 20.30.40.50 255.255.255.0
 ip nat outside
end
******************************************************************
Static Nat Configuration
******************************************************************
ip nat inside source static 10.200.9.39 172.16.1.5
******************************************************************
Dynamic NAT Configuration
******************************************************************
ip host Shop-C0100 172.20.1.10
ip nat pool Shop-C0100 172.20.1.10 172.20.1.10 netmask 255.255.255.252
ip nat inside source list Shop-ACL-C0100 pool Shop-C0100 overload
ip access-list extended Shop-ACL-C0100
 10 permit ip 10.7.162.0 0.0.0.63 host 192.168.10.10
******************************************************************
Deleting NAT Procedure
******************************************************************
Conf t
no ip host Shop-C0100 172.20.1.10
no ip nat pool Shop-C0100 forced
no ip access-list extended Shop-ACL-C0100
no ip nat inside source list Shop-ACL-C0100 pool Shop-C0100 overload forced
****************************************************************************************
When the configurations are being set, there is no issue. The problem arises when a customer requests the removal of definitions for one of its branches. According to the configuration mentioned above, after removing the settings related to this branch, all branches experience packet loss, creating this problem for us. Interestingly, this issue is only present in router 1001. In the lab, I replaced router 1001 with router 4331, continued the process, and by deleting one branch, no other branches were affected.
01-28-2024 12:16 AM
What is the IOS / IOS XE code running on this device? (show version)
There were some bugs reported some time back where a NAT configuration change caused issues, for example this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu75584
Try the latest Cisco-recommended version, 17.9.4a, and test it. (If you are already on that version, then I personally think this may be a bug, worth opening a TAC case.)
01-28-2024 02:17 AM
I updated to the latest version (17.9.4a) two days ago, but it is not solved.
01-30-2024 11:18 AM
I suggest raising a TAC case and asking them to troubleshoot for you.
01-28-2024 12:33 AM
There is only one IP in the pool and you use mask 252?
MHM
01-28-2024 02:20 AM
When you want to configure a pool for dynamic NAT, you must define the start and end of the NATed IPs and after that you must define the subnet mask.
Cisco doesn't accept 255.255.255.255 for the subnet mask, based on the log below:
%Pool Shop-C2901 mask 255.255.255.255 too small; should be at least 255.255.255.252
01-28-2024 03:33 AM
show ip nat translations
show ip nat statistics
Share this
MHM
01-28-2024 03:15 AM
Hello
@m.ebrahimi.isc wrote:
When I delete one NAT (static or dynamic) all sessions get packet loss.
ip nat inside source static 10.200.9.39 172.16.1.5
Let's focus on the static NAT statement, as this is the least impacting (well, it shouldn't be).
You say when you remove that static NAT statement, your customers located behind the inside NAT domain that are not related to this static NAT experience an outage?
It sounds like the forcing of the NAT is being globally applied, thus tearing down ALL translations. So just to confirm: when you force the deletion, it is specific to that static NAT statement, correct?
Is it possible you can run the following and post the results:
no logging console
ip access-list extended nat
 permit ip host 10.200.9.39 any
debug ip nat 15 mapping
clear ip nat translation inside 10.200.9.39 172.16.1.5 forced
no ip nat inside source static 10.200.9.39 172.16.1.5 forced
01-29-2024 05:31 AM
Dear Paul
I think when I clear the specified NAT there is no effect on the router because there isn't any debug log on the router.
When I enter each of the commands below, all sessions get packet loss.
no ip nat pool Shop-C0100 forced
no ip nat inside source list Shop-ACL-C0100 pool Shop-C0100 overload forced
01-29-2024 01:08 PM
Until now we don't know if the ASR crashes or the NAT is the issue here.
As @paul driver mentioned, use
debug ip nat (you can use an ACL to make the router show debug only for a specific host or subnet).
Then check if traffic is NATing even if you remove the NAT statement.
Again, share show ip nat statistics.
This will give us some hint about drops out-to-in or in-to-out.
MHM
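One way to check the question raised in the thread, whether removing one mapping tears down only its own translations or everything, is to capture `show ip nat translations` before and after the change and compare the two tables. This is an added example, not code from any poster; the sample outputs, the second pool address 172.20.1.14 and the function names are constructed for illustration.

```python
# Constructed 'show ip nat translations' captures (not real device output).
HEADER = "Pro Inside global      Inside local       Outside local      Outside global\n"
STATIC = "--- 172.16.1.5         10.200.9.39        ---                ---\n"
OTHER = "tcp 172.20.1.14:1024   10.7.163.7:40000   192.168.10.10:443  192.168.10.10:443\n"
BEFORE = (HEADER + STATIC +
          "tcp 172.20.1.10:1024   10.7.162.5:51000   192.168.10.10:443  192.168.10.10:443\n"
          "tcp 172.20.1.10:1025   10.7.162.9:51002   192.168.10.10:443  192.168.10.10:443\n"
          + OTHER + "Total number of translations: 4\n")
AFTER_SCOPED = HEADER + STATIC + OTHER + "Total number of translations: 2\n"
AFTER_ALL = HEADER + STATIC + "Total number of translations: 1\n"


def parse_translations(text):
    """Return the set of (pro, inside_global, inside_local, outside_local,
    outside_global) rows, skipping the header and the 'Total ...' footer."""
    rows = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] not in ("Pro", "Total"):
            rows.add(tuple(fields))
    return rows


def host(field):
    """Drop the port: '172.20.1.10:1024' -> '172.20.1.10'; '---' is unchanged."""
    return field.rsplit(":", 1)[0]


def classify_lost(before, after, removed_globals):
    """Split translations that vanished between two captures into
    (expected, collateral): expected rows used an inside-global address of the
    mapping that was removed; collateral rows belonged to other mappings.
    Dynamic entries also age out on their own, so take the captures close together."""
    lost = parse_translations(before) - parse_translations(after)
    expected = {row for row in lost if host(row[1]) in removed_globals}
    return expected, lost - expected


if __name__ == "__main__":
    for name, after in (("scoped", AFTER_SCOPED), ("all", AFTER_ALL)):
        expected, collateral = classify_lost(BEFORE, after, {"172.20.1.10"})
        print(name, "expected:", len(expected), "collateral:", sorted(collateral))
```
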